February 07, 2014

Evaluating your bank’s third-party vendors is critical to the security of its business and customer data. The bank could experience a data breach through a contractor or supplier—and never find out unless the contract required the vendor to notify you after a security event (or when your information turns up on Pastebin as happened to Twitter.)

Recent reports that breaches at Target Corp. and Yahoo Inc. stemmed from stolen vendor credentials underscore the importance of third-party security reviews to protect information assets.

Deena Coffman
Deena Coffman

The following vendors all have experienced a data breach in the past two years: Adobe, LexisNexis, Dunn & Bradstreet, Kroll Background America a/k/a HireRight, J.P. Morgan, State Farm, Kaiser Permanente and Epsilon. What if one of them was on your vendor list?

[For More On Vendor Security, Check Out: Banks Must Approach Third Party Contracting Differently in Today’s Highly Regulated Environment]

A bank’s future revenues and profitability are jeopardized when confidential business information is exposed through the disclosure of proprietary information or penalties for non-compliance with data breach and privacy regulations. For this reason, it’s important to make sure suppliers and contractors handle business information assets with the expected level of care. Third-party security reviews are widely adopted approach.

However a security review of every vendor isn’t necessary. So where to start?

1. First, look for your company’s most important information assets.

2. Next, determine which suppliers and contractors have access to those systems and/or data. To do this, build an information asset inventory. Then, map the data flow as sensitive information comes into your organization, is copied, processed or transferred, and then finally disposed.

3. Now that you know what you want to protect and where it is exposed, list all vendors with access to the exposure points. Remember to check systems, mobile devices, email, websites, databases, and access to facilities, such as those given to waste removal companies or maintenance services.

4. Once you understand which vendors have access to your information and which information is the most sensitive, rank as your first priority the vendors that have the greatest access to the most sensitive level of information. Request that those suppliers or contractors have a review of their security program as it pertains to the information they handle for you. For example, suppliers with recurring, persistent access to sensitive data would warrant a more in-depth review than a contractor with limited access to a subset of information. A full review would involve the physical, technical and administrative controls the organization has for information security and privacy.

Security is like a chain: It is only as strong as its weakest link. An exposure from a weak process or policy could render a large security technology investment ineffective. Conversely, for those circumstances where limited data exposure exists, a self-assessment and contractual protections may be more appropriate than a full review.

Suppliers can gain an advantage over the competition by establishing and demonstrating a strong security posture. They can perform assessments as part of their compliance programs to proactively show clients they’re mindful of security. And they can provide a report of the assessment, with confidential information removed, of course. Additionally, a strong security posture reduces the time and effort to move from proposal acceptance to contract; the process would take longer for vendors that still need to be vetted for security.

One word of caution, however, when using PCI compliance reports as security vetting tools. PCI pertains only to a set of standards that apply to payment card processing. It may or may not be relevant to the information and systems for which you need to have assurance. Compliance is not the same as security.

Because security standards generally permit risk management and not risk removal, contractual measures may be substituted. For example, if the security review would be greater than the value of the contract or where access or the amount of data is limited, it may be more advantageous to forego a required security review, and instead, specify some or all of the following in the contract:

• Indemnification against third-party claims, especially IP infringement • Limitations on liability • Responsibility during a breach for notification, legal defense and remediation (first- and third-party) • Insurance minimums • Information security requirements (such as mandatory encryption) • Assignment • Service-level agreements that support incident response needs • Incident response testing participation • Insurance o Data breach o Cyber liability

Risk managers may elect to avoid, transfer or accept information security risks rather than mitigate them through controls. In any event, it should be an informed, deliberate decision. Trust but verify because regardless of whether a data breach occurs at your facility or through a third-party supplier, your reputation and your revenue ultimately is at stake.

Deena Coffman is CEO of IDT911 Consulting.